You’ve probably heard about the Logjam attack on the Diffie-Hellman key exchange algorithm. Here is a post by Jethro Beekman providing some details and suggestions on hardening your SSH server security.
A few days ago I started playing around with the Twisted Python framework in general, and in particular with the Conch library, which handles SSH connections in an event-based manner.
I tried a few SSH client examples from the Twisted site and got similar errors:
The problem is that twisted.conch.ssh.transport supports only two KeyExchange algorithms so far:
And they were excluded from the default list of enabled key exchange algorithms. On my Fedora 22 and Debian 8 nodes with OpenSSH 6.7 installed, I have the following list by default:
There are a few tickets with requests and proposals on how to add support for stronger Diffie-Hellman algorithms. But they don’t show any recent activity, so I’m not sure this is going to be merged any time soon. Also, I didn’t find anything about support for elliptic curve algorithms at all.
Since I’m neither brave nor skilled enough to dive into patching Twisted, I’ve enabled support for the diffie-hellman-group-exchange-sha1 algorithm in the SSH daemon settings on the target nodes:
If you don’t want to sacrifice security, you may consider generating your own moduli as suggested here:
With diffie-hellman-group-exchange-sha1 enabled, SSH connections should not fail.
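
The failure and the fix described above come down to key exchange negotiation: the first algorithm on the client's list that the server also offers is used, and with no overlap the connection fails. The sketch below is an added example, not code from this post or from Twisted; it simplifies the RFC 4253 rule to a plain list intersection, the client list is an assumption about Conch at the time, and both sshd_config fragments are constructed samples.

```python
# Added example: simplified SSH key exchange negotiation (RFC 4253, section 7.1).
# CONCH_KEX is an assumption about the Conch client of that era; the post itself
# names only diffie-hellman-group-exchange-sha1.
CONCH_KEX = ["diffie-hellman-group-exchange-sha1", "diffie-hellman-group1-sha1"]

# Constructed sshd_config fragments (not taken from the post).
SSHD_BEFORE = """\
# constructed sample
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
"""
SSHD_AFTER = SSHD_BEFORE.replace(
    "diffie-hellman-group14-sha1",
    "diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1",
)


def server_kex(sshd_config_text):
    """Return the KexAlgorithms list; sshd uses the first value it reads."""
    for line in sshd_config_text.splitlines():
        fields = line.split("#", 1)[0].split(None, 1)
        if len(fields) == 2 and fields[0].lower() == "kexalgorithms":
            return [name.strip() for name in fields[1].split(",") if name.strip()]
    return []


def negotiate(client, server):
    """Pick the first client algorithm the server also offers, else None."""
    for name in client:
        if name in server:
            return name
    return None


def report(label, config_text):
    """Print and return the negotiation result for one server configuration."""
    chosen = negotiate(CONCH_KEX, server_kex(config_text))
    print(f"{label}: {chosen or 'no common key exchange, connection fails'}")
    return chosen


if __name__ == "__main__":
    report("before", SSHD_BEFORE)
    report("after", SSHD_AFTER)
```

Running the same check against the real KexAlgorithms line before restarting sshd shows whether a given client will still connect, and which algorithm it will end up using.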